CIO Insights and Analysis from Deloitte

CONTENT FROM OUR SPONSOR

Please note: The Wall Street Journal News Department was not involved in the creation of the content below.


Financial Firms Confront Cyber Risk

Financial services firms face common obstacles in their efforts to stay a step ahead of cybercriminals, but there are numerous strategies that can help.

It would be difficult to find a firm untouched by the threat of cybercrime today, but financial services institutions (FSIs) likely face more risk than most, given their treasure trove of personally identifiable information. FSIs incur high average costs from cybercrime each year, amounting to $28.3 million in 2015 (Figure 1). Little wonder cyber exposures rank second only to regulatory and compliance concerns among the types of risks FSIs believe will increase the most in importance to their companies.

FSIs are dedicating plenty of money and technology to cyber risk management, yet many are still struggling to keep up despite several years of efforts to bolster cybersecurity capabilities. Because of the pace of attacks and the growing sophistication of threat actors, basic blocking and tackling strategies to lock down devices, systems, and platforms remain a work in progress at many companies.

Companies are also facing multiplying—and often conflicting—demands reconciling digital initiatives with cybersecurity concerns. Amid the massive technological transformation now underway in financial services, companies are being asked to become more agile and provide a frictionless customer experience. They must also grapple with the need to reduce costs while complying with complex regulations and managing an increasingly global workforce.

The Deloitte Center for Financial Services interviewed CISOs and cyber risk management experts from the banking, insurance, and investment management sectors to identify the biggest challenges FSIs face. Those interviewed shared cyber war stories, citing a wide variety of obstacles and frustrations. Some respondents describe themselves as “first responders,” putting out a never-ending series of brush fires while trying to head off a cyber “inferno” that could take down the enterprise.

Here are the top challenges respondents identify—and strategies that can be considered for overcoming them.

Balancing present and future needs. New threats emerge almost daily, and legacy systems need frequent maintenance and security upgrades. Some CISOs report spending half their time or more patching and repatching systems and applications. Meanwhile, FSIs are under pressure to be nimbler and respond to changing conditions quickly. A balancing act is required to address current vulnerabilities in existing systems while also implementing security for new applications and technologies. Potential solutions include:

Plan for future innovations with cyber risk management in mind.

Improve agility by implementing new security protocols and other changes in short sprints.

Focus on pacing and monitoring to keep everyone working toward the same goal.

Create a team to bring security initiatives to each line of business via in-person briefings, emails, and phone calls.

Investing wisely. Cybersecurity budgets have been steadily increasing. On the positive side, that means FSIs are willing to invest to defend their operations from hackers and other cyberthreats. However, spending increases are unlikely to continue in perpetuity, and companies are already looking for a quantifiable return on their risk management investment. CISOs are under pressure to identify their most critical spending needs and demonstrate tangible results. Potential solutions include:

Evaluate the spending impact of any potential new solutions.

Gather enough resources to implement them effectively.

Hire personnel required to execute plans.

Invest in customer and employee cyber risk training.

Allocate budget not just in IT but across the enterprise, including operations and infrastructure, application development, and human capital.

Getting the right talent. Cyber risk efforts require people with a rare combination of technical skills, business knowledge, and strategic thinking, so it’s not surprising that recruiting, developing, and retaining top talent is the No. 1 problem for most CISOs. One CISO estimates his department spends 20 percent of its time seeking talent. Potential solutions include:

Look beyond FSIs when building teams. It may be easier to train newcomers for industry knowledge than for tech skills, so recruit for the latter. Those with backgrounds in military and government intelligence can often be a particularly good fit.

Exercise strong onboarding routines when hiring from outside the industry to shorten the learning curve for outsiders.

Lining up the right tools. Vendor solutions for cyber risk management are proliferating, and it can be difficult to discern which tools are the right fit. Meanwhile, integration with existing software is tricky and may cost as much as the products themselves—or more. The resulting challenges can undermine effective cyber risk management. Potential solutions include:

Seek out integrated solutions that reduce the headache of adding tools.

Look nationally and globally: Silicon Valley and Israel each boast an abundance of innovative cyber startups.

Consider implementing cyber risk managers for each line of business—one company slashed critical risks by 86 percent with this model.

Reporting results. CISOs are spending more time reporting on what they do, and their work is often measured against unsatisfactory metrics because the cybersecurity industry lacks standardized ones. Besides wasted time and increased frustration levels, there are also competitive implications, as commercial clients may include cyber risk management assessments in requests for proposals. Potential solutions include:

Take an enterprisewide view when assessing vulnerabilities, and don’t overreact to new threats in the news.

Shift the reporting focus from the number of attacks to the degree of penetration and response time.

Collaborate within the industry and beyond to set the bar for cyber risk management, support wider standardization efforts, and align on effective approaches.

Sharing cyber risk intelligence. There isn’t much in the way of centralized, FSI-specific cyber risk information today, and it’s often difficult to share data or experiences with other companies because of regulatory hurdles, legal ambiguity, and competitive concerns. Potential solutions include:

Foster trust with cybersecurity colleagues from other firms within the industry and beyond.

Focus on quality rather than quantity of information, paying particular attention to action-based response intelligence.

Work toward improved analytics and automation of threat intelligence assessments.

For those on the front lines in cyber risk management, the good news is that senior leadership and board members are increasingly aware of the seriousness of cyber risks and have been supportive of efforts and investments to make FSIs more secure, vigilant, and resilient. At the same time, however, many FSIs continue to feel underprepared to detect and ward off the ever-evolving threat of massive financial fraud, data loss, or other cybercrimes against their companies or the overall financial ecosystem.

And despite their best efforts, many FSIs are likely to see their systems breached or compromised at some point, so recovery and resiliency are both critical considerations. Several CISOs interviewed are running live exercises so they can keep their businesses up and running after a serious event. One goes so far as to note, “We are preparing to recover our services from bare metal if necessary.”

In the end, CISOs cannot defend their organizations alone. They need collaboration and cooperation as well as shared responsibility and accountability to foster a cybersecurity mentality across the entire enterprise.
